Date post: | 26-Dec-2015 |
Category: |
Documents |
Upload: | osborne-fitzgerald |
View: | 213 times |
Download: | 0 times |
Fraud – A Data Analysis ApproachKansas City ISACA
10/13/2011
Michael T Hoesing CISA, CISSP, CCP, CIA, CFSA, ACDA, CMA, [email protected]
Any procedures discussed herein should be tested before applying them to your production data. Content is the opinion of the author and not the conference sponsor, clients, employers past present nor future, friends nor relatives. Don’t sue me, I have no money.
Agenda• Characteristics of Fraud• Manifestations of Fraud in Data• Examples
Payroll – Phantom EmployeesMasterfiles – nefarious editsLazy Thieves – even dollar
amountsKickbacks – overpricingAnd a couple IT Audit ideas
Non-Agenda• Employee / Vendor Address
Matching using SAS www.auditnet.org/docs/dupaddr.doc
• Duplicate Payments using web-caat http://ezrstats.com/Xampp/home.html
• Split Procurements https://www.acl.com/pdfs/Training_Finding_Split_Txns.pdf
• P-Card http://www.tampagov.net/dept_internal_audit/files/apg/appurchasecard.pdf
Characteristics of Fraud• The What (1)
Enrichment of the perp (damages)Deception and reliance thereonConcealment or Omission
• The Triangle of Why (1)
Incentive (motive) or Pressure OpportunityRationalization (money, ideology,
ego, coercion)
Characteristics of Fraud• The Who ACFE 2008 Report to the Nation on Occupational Fraud and Abuse
Internal, Trusted, 64% one person fraud Males cases resulted in larger losses 67% educated and had larger losses, 33%
of perps had no college, 6-10 years with the company had largest
losses 87% First fraud (no prior charges or
convictions) When anytime, Where your organization
Manifestation of Fraud in Data
• Direct (altered or faked records) the organizations records have been
changed or fictitious record(s) created search for unusual data behavior and
compare to any source data perp does not have access to
Indirect (kickbacks)Trending – horizontal analysisCompare organization data to independent
data
Examples – Phantom Employee
• Very Difficult to create all aspects of an employee, the Payroll record is created, but other pieces maybe notBenefits ElectionsPhysical Access Cards/BadgesPhone, Parking Permit, Food Day
Participation…System Access (missing or inappropriate)
Analysis Approach Obtain the individual data pieces and
create an complete picture (scope??)
Examples – Phantom Employee (2)
Analysis Techinques acquire data files (Payroll, HR, Facilities,
Benefits, Logical Access ..), Are they perfect? Are they usable?
aggregate a complete employee picture using the JOIN command
normalize any fields needed to combine the files (empid may not always be present), may have to use an name as a key field,
maybe first name & last name in one file and a long name in another file
Phantom Employee – the data
Examples – Phantom Employee (3)
Character Field Normalization (JOIN) Type – both should be character, but if not STRING
will convert a numeric (VALUE – char to numeric) Case – both should be the same, UPPER or LOWER or
PROPER Justification – leading and trailing blanks should be
the same ALLTRIM removes both (keeps interior “ “) Length – both should be the same, SUBSTR (both
shortens and LENGTHENS) Consistent Content – INCLUDE & EXCLUDE good or
bad characters Incorrect Content – REPLACE
{REPLACE(namefield,BLANKS(2), BLANKS(1) will remove double spaces}
Phantom Employee – harmonize keys
SUBSTR(EXCLUDE(UPPER(ALLTRIM( Employee_Name)), ","), 1, 25)
EXCLUDE(UPPER(ALLTRIM( First_Name)), ",") + BLANKS( 1) +
EXCLUDE(UPPER(ALLTRIM( Last_Name)), ",")
Examples – Phantom Employee (4)
Results Analysis On Payroll, No Logical Access ID –
possible phantom employee (Unmatched Primary)
(warning scope creep)
ID present but –not On Payroll – possible phantom ID (Unmatched Secondary)
High Pay relative to position Incorrect (elevated) Access Rights
Application Access – All Exceptions (sometimes explain each other)
Alen SmithDabney Pratt
Jen Appleton
Penny Cooper
Bilbo Nishnabotna
Ralph ConnerYakov PhillipsSean O’LearyVeritas Backup
Alan SmithDab Pratt
Darrel PayneJen Everroad
Lindsey HihandPenny Spring
Red Nishnabotna
Ykov Phillips
Darrel Payne
Lindsey Hihand
Ralph ConnerSean O’Leary
Veritas Backup
Automate(continuous) – with scripting
• COMMENT ***** Set the environment, clear previous artifacts and • COMMENT ***** Remove all valiables (if this script has NOT been modified to create permanent variables).• SET SAFETY OFF• SET FILTER• SET INDEX• SET FOLDER /A_Phantom_Employees_and_IDs/a1_Source_Files• CLOSE• CLOSE SECONDARY• DELETE ALL OK• ASSIGN v_continue = "Continue"• DELETE verifyoutput.vfy OK
• COMMENT ***** This script a Lgical Acess files and a Pyroll file. names are matched to determine• COMMENT ***** if all employees who work here have an ID (if not possible phamtom employee).• COMMENT ***** if all IDs are assigned to an employee (excluding exceptions for service accounts)• COMMENT ***** (if not that may be a possible phantom ID).
• COMMENT ***** Set the default path for reading source data files.• ASSIGN v_path = "C:\Data\00_Current_Work\09_IIA_Regional_08_29-30_2011\ACL_Fraud_Detection\"
• COMMENT ***** Obtain the Payroll and Logical Access spreadsheets• COMMENT ***** Run STATISTICS for balancing purposes• COMMENT ***** VERIFY all feilds, if any errors, let the user decide whether to continue• IMPORT EXCEL TO Logical_Access "%v_path%Logical_Access.fil" FROM "ABC_Application_Access_12_31_2010.xls" TABLE "Access" CHARMAX 50 KEEPTITLE
• IMPORT EXCEL TO Payroll "C:\Data\00_Current_Work\09_IIA_Regional_08_29-30_2011\ACL_Fraud_Detection\Payroll.fil" FROM "ABC_Payroll_12_31_2010.xls" TABLE "Payroll" CHARMAX 50 KEEPTITLE• OPEN Payroll• STATISTICS ON Gross_Pay TO SCREEN NUMBER 5• VERIFY ALL TO %v_path%verifyoutput.vfy ERRORLIMIT 999• IF FILESIZE("%v_path%verifyoutput.vfy") <> 0 DIALOG (DIALOG TITLE "User Dialog" WIDTH 638 HEIGHT 196 ) (BUTTONSET TITLE "&OK;&Cancel" AT 252 168 DEFAULT 1 HORZ ) (TEXT TITLE " 'The VERIFY command returned errors for the Payroll file. Please chose which action the script is to take.'" AT 48 16 WIDTH 561 HEIGHT 33 ) (DROPDOWN TITLE "Stop;Continue" TO
"v_continue" AT 276 72 DEFAULT 1 )• IF v_continue = "Stop" ESCAPE
• OPEN Logical_Access• STATISTICS ON Date_Created TO SCREEN NUMBER 5• VERIFY ALL TO %v_path%verifyoutput.vfy ERRORLIMIT 999• IF FILESIZE("%v_path%verifyoutput.vfy") <> 0 • DIALOG (DIALOG TITLE "User Dialog" WIDTH 638 HEIGHT 196 ) (BUTTONSET TITLE "&OK;&Cancel" AT 252 168 DEFAULT 1 HORZ ) (TEXT TITLE " 'The VERIFY command returned errors for the Logical Access file. Please chose which action the script is to take.'" AT 60 28 WIDTH 546 HEIGHT 31 ) (DROPDOWN TITLE "Stop;Continue" TO "v_continue" AT 276 72 DEFAULT 1 )• IF v_continue = "Stop" ESCAPE
• COMMENT ***** Create normalized computed name fields to facilitate the JOIN command• OPEN Payroll• IF FTYPE("Long_Name_Payroll") <> "" DELETE FIELD Long_Name_Payroll OK• DEFINE FIELD Long_Name_Payroll COMPUTED EXCLUDE(UPPER(ALLTRIM( First_Name)), ",") + BLANKS( 1) + EXCLUDE(UPPER(ALLTRIM( Last_Name)), ",")
• OPEN Logical_Access• IF FTYPE("Long_Name_Access") <> "" DELETE FIELD Long_Name_Access OK• DEFINE FIELD Long_Name_Access COMPUTED SUBSTR(EXCLUDE(UPPER(ALLTRIM( Employee_Name)), ","), 1, 25)
• COMMENT ***** Combine the two tables based on the newly created key fields,• COMMENT ***** the harmonized employee long name in both tables, using JOIN.• COMMENT ***** Include all record types (matched, unmatched primary, unmatched secondary)• COMMENT ***** to enable a filter for possible phantom employee's { ISBLANK(Long_Name_Access)}• COMMENT ***** which shows the unmatched secondary records.• COMMENT ***** WARNING: This next step is scope creep and could get you fired (or rewarded• COMMENT ***** for being creative), filter for possible phantom ID's { ISBLANK(Long_Name_Payroll)}• COMMENT ***** which shows the unmatched primary records.• SET FOLDER /A_Phantom_Employees_and_IDs/a2_Intermediate_Files• OPEN Payroll• OPEN Logical_Access SECONDARY• JOIN PKEY Long_Name_Payroll FIELDS ALL SKEY Long_Name_Access WITH ALL PRIMARY SECONDARY TO "Payroll_Access_Join_name" OPEN PRESORT SECSORT• OPEN "Payroll_Access_Join_name"
• SET FOLDER /A_Phantom_Employees_and_IDs/a3_Results• EXTRACT RECORD IF Long_Name_Access <> Long_Name_Payroll TO "Phantom_Employees_and_IDs" OPEN• DEFINE VIEW Reporting_Results OK• DEFINE COLUMN Reporting_Results Long_Name_Payroll AS "Long Name;Payroll"• DEFINE COLUMN Reporting_Results Long_Name_Access AS "Long Name;Access"• DEFINE COLUMN Reporting_Results App_User_ID AS "Application;User ID"• DEFINE COLUMN Reporting_Results App_Profile AS "Application;Profile"• DEFINE COLUMN Reporting_Results Department• DEFINE COLUMN Reporting_Results Position• DEFINE COLUMN Reporting_Results Gross_Pay WIDTH 12 PIC "-999,999.99" AS "Gross Pay"• DEFINE COLUMN Reporting_Results Pay_Type AS "Pay;Type"• DEFINE COLUMN Reporting_Results Date_Hired AS "Date;Hired" POS 8• DEFINE COLUMN Reporting_Results Status AS "Payroll;Status"• DEFINE COLUMN Reporting_Results Status2 AS "Access;Status"
• COMMENT ***** Reset the environment• SET SAFETY ON• DISPLAY VARIABLES
Masterfile EditsChange
Vendor RTA & DDA - money goes to the perp’s account
Employee Withholding – change the sign and money gets added to the paycheck instead of subtracted
AR – change the credit terms and the client will reward the perp
Inventory – lower the QOH and put the rest in the trunk of the car
Masterfile Edits (2)Analysis Technique
obtain 2 copies of the masterfile data at different points in time (assumes the structure of the file did not change in the interim)
compare for unmtached fields Results Analysis
trace to authorized changes (may or may not be stored in accessible electronic format)
Masterfile Edits - JOINAnalysis Technique
file order is important, start with the oldest file (if you start with the newest, some unmatched records will be due to a new vendor addition)
What we want is changes, so start the JOIN with the older file and chose UNMATCHED result file type (this will also capture deleted vendors)
• OPEN Vendor_Master_June_2011 PRIMARY• OPEN Vendor_Master_July_2011 SECONDARY• JOIN PKEY Vendnum bank account FIELDS ALL SKEY Vendnum bank account WITH ALL
UNMATCHED TO "Vendor_Banking_Changes" OPEN PRESORT SECSORT
Masterfile Edits - Script• COMMENT ***** Set the environment, clear previous artifacts and • COMMENT ***** Remove all valiables (if this script has NOT been modified to create permanent variables).• SET SAFETY OFF• SET FILTER• SET INDEX• SET FOLDER /B_Masterfile_Edits/b1_Source_Files• CLOSE• CLOSE SECONDARY• DELETE ALL OK• DELETE verifyoutput.vfy OK• COMMENT ***** Set the default path for reading source data files.• ASSIGN v_path = "C:\Data\00_Current_Work\09_IIA_Regional_08_29-30_2011\ACL_Fraud_Detection\"• ASSIGN v_continue = "Continue"
• COMMENT ***** This script compares two versions of the same masterfile for vendors• COMMENT ***** over two different time periods. Both files are created by the same system• COMMENT ***** therefore no field harmonization is needed. The matching will be done• COMMENT ***** on not the typical key feild (vendor number) but rather on the field we wish• COMMENT ***** to analyze for changes (bank number and account number, combined with vendor number)
• COMMENT ***** Obtain the prior then the current vendor masterfiles.• COMMENT ***** Run COUNT for balancing purposes• COMMENT ***** VERIFY all feilds, if any errors, let the user decide whether to continue• COMMENT ***** Test the bank number (RTA or RTN number) is 9 digits exactly• IMPORT DELIMITED TO Vendor_Master_June_2011 "Vendor_Master_June_2011.fil" FROM "Vendor_Master_06_2011.txt" 0 SEPARATOR "," QUALIFIER '"' CONSECUTIVE STARTLINE 1 FIELD "Vendnum" C AT 1 DEC 0 WID 6 PIC "" AS "Vendor;Number" FIELD "Vendname" C AT 7 DEC 0 WID 27 PIC "" AS "Vendor;Name" FIELD "address" C AT 34 DEC 0 WID 14 PIC "" AS "Street Address"
FIELD "city" C AT 48 DEC 0 WID 5 PIC "" AS "City" FIELD "state" C AT 53 DEC 0 WID 2 PIC "" AS "State" FIELD "zip" C AT 55 DEC 0 WID 5 PIC "" AS "Zip;Code" FIELD "phone" C AT 60 DEC 0 WID 10 PIC "" AS "Phone;Number" FIELD "bank" C AT 70 DEC 0 WID 9 PIC "" AS "bank;RTN" FIELD "account" C AT 79 DEC 0 WID 10 PIC "" AS "Bank DDA;Number" • OPEN Vendor_Master_June_2011• COUNT• VERIFY ALL TO %v_path%verifyoutput.vfy ERRORLIMIT 999• IF FILESIZE("%v_path%verifyoutput.vfy") <> 0 DIALOG (DIALOG TITLE "ABC Co - Masterfile Changes" WIDTH 638 HEIGHT 196 ) (BUTTONSET TITLE "&OK;&Cancel" AT 252 168 DEFAULT 1 HORZ ) (TEXT TITLE " 'The VERIFY command returned errors for the first (oldest) vendor masterfile. Please chose which action the script is to take.'" AT 120 16 WIDTH 411 HEIGHT 44 )
(DROPDOWN TITLE "Stop;Continue" TO "v_continue" AT 276 72 DEFAULT 1 )• IF v_continue = "Stop" ESCAPE• SET FILTER TO NOT MAP(bank, "999999999")• COUNT• IF COUNT1 <> 0 PAUSE "The first (oldest) file has incorrectly structured bank RTN number(s)."• IF COUNT1 <> 0 ESCAPE
• IMPORT DELIMITED TO Vendor_Master_July_2011 "Vendor_Master_July_2011.fil" FROM "Vendor_Master_07_2011.txt" 0 SEPARATOR "," QUALIFIER '"' CONSECUTIVE STARTLINE 1 FIELD "Vendnum" C AT 1 DEC 0 WID 6 PIC "" AS "Vendor;Number" FIELD "Vendname" C AT 7 DEC 0 WID 27 PIC "" AS "Vendor;Name" FIELD "address" C AT 34 DEC 0 WID 14 PIC "" AS "Street Address" FIELD "city" C AT 48 DEC 0 WID 5 PIC "" AS "City" FIELD "state" C AT 53 DEC 0 WID 2 PIC "" AS "State" FIELD "zip" C AT 55 DEC 0 WID 5 PIC "" AS "Zip;Code" FIELD "phone" C AT 60 DEC 0 WID 10 PIC "" AS "Phone;Number" FIELD "bank" C AT 70 DEC 0 WID 9 PIC "" AS "bank;RTN" FIELD "account" C AT 79 DEC 0 WID 10 PIC "" AS "Bank DDA;Number"
• OPEN Vendor_Master_July_2011• COUNT• VERIFY ALL TO %v_path%verifyoutput.vfy ERRORLIMIT 999• IF FILESIZE("%v_path%verifyoutput.vfy") <> 0 DIALOG (DIALOG TITLE "ABC Co - Masterfile Changes" WIDTH 638 HEIGHT 196 ) (BUTTONSET TITLE "&OK;&Cancel" AT 252 168 DEFAULT 1 HORZ ) (TEXT TITLE " 'The VERIFY command returned errors for the first (oldest) vendor masterfile. Please chose which action the script is to take.'" AT 120 16 WIDTH 411 HEIGHT 44 )
(DROPDOWN TITLE "Stop;Continue" TO "v_continue" AT 276 72 DEFAULT 1 )• IF v_continue = "Stop" ESCAPE• SET FILTER TO NOT MAP(bank, "999999999")• COUNT• IF COUNT1 <> 0 PAUSE "The second (newest) file has incorrectly structured bank RTN number(s)."• IF COUNT1 <> 0 ESCAPE
• COMMENT ***** For the JOIN, start with the oldest file as the Primary and use an UnMatched Primary type of result.• COMMENT ***** this will capture two types of mismatches, vendors that were removed (or their bank account• COMMENT ***** information was removed) and vendors whose bank account information was changed. • COMMENT ***** Starting with the newest file would produce a mismatch for all new vendors, which is maybe• COMMENT ***** a separate audit, or separate audit step.• SET FOLDER /B_Masterfile_Edits/b3_Results• OPEN Vendor_Master_June_2011 PRIMARY• OPEN Vendor_Master_July_2011 SECONDARY• JOIN PKEY Vendnum bank account FIELDS ALL SKEY Vendnum bank account WITH ALL UNMATCHED TO "Vendor_Banking_Changes" OPEN PRESORT SECSORT• COMMENT ***** However, the new file will have no information from the newest month's file.• COMMENT ***** Create an INDEX to the newest month file based on the vendor number• COMMENT ***** then show in the view the bank information that changed in the newest month. • COMMENT ***** First check to see that there are no duplicate vendor numbers in the newest month.• OPEN Vendor_Master_July_2011• DUPLICATES ON Vendnum TO %v_path%duplicates.dup• IF FILESIZE("%v_path%duplicates.dup") <> 0 DIALOG (DIALOG TITLE "ABC Co - Masterfile Changes" WIDTH 638 HEIGHT 196 ) (BUTTONSET TITLE "&OK;&Cancel" AT 252 168 DEFAULT 1 HORZ ) (TEXT TITLE " 'The DUPLICATES command shows that the Vendnum field is not unique in the newest file. Please chose which action the script is to take.'" AT 120 16 WIDTH 411 HEIGHT
44 ) (DROPDOWN TITLE "Stop;Continue" TO "v_continue" AT 276 72 DEFAULT 1 )• IF v_continue = "Stop" ESCAPE• INDEX ON Vendnum TO "Newestmaster_Index_Vendnum"• OPEN Vendor_Banking_Changes• DEFINE RELATION Vendnum WITH Vendor_Master_July_2011 INDEX Newestmaster_Index_Vendnum• DEFINE VIEW Default_View• DELETE COLUMN Default_View bank OK• DELETE COLUMN Default_View account OK• DEFINE COLUMN Default_View bank AS "Bank RTN;Number;Prior" POSITION 2 • DEFINE COLUMN Default_View account AS "Account;Number;Prior" POSITION 3 • DEFINE COLUMN Default_View Vendor_Master_July_2011.bank AS "Bank RTN;Number;Current" POSITION 3• DEFINE COLUMN Default_View Vendor_Master_July_2011.account AS "Account;Number;Current" POSITION 4
• COMMENT ***** Create flags to denote when either the bank RTN number or the account number changed (or both).• DEFINE FIELD c_bank_change COMPUTED• flag to filter on NOT ISBLANK• "***" IF bank <> Vendor_Master_July_2011.bank• BLANKS(1)• DEFINE FIELD c_account_change COMPUTED• flag to filter on NOT ISBLANK• "***" IF account <> Vendor_Master_July_2011.account• BLANKS(1)• DEFINE COLUMN Default_View c_bank_change AS "WARNING;Bank;Change" POSITION 4 WIDTH 8• DEFINE COLUMN Default_View c_account_change AS "WARNING;Account;Change" POSITION 7 WIDTH 8
• COMMENT ***** Reset the environment• SET SAFETY ON• DISPLAY VARIABLES
Even Dollar AmountsSometimes we get lucky
Some perps are lazyNot all analysis techniques need to be
complexFilter the dollar amounts:
MOD(amount, 1000) = 0Usually combined with sorting While we have purchases, what else?Use multiple techniques, pick and
choose
Even Dollar Amounts – Example Data
"PO-1001","V15000","P5678",07/01/2011,"Administration","1234-5678-9021",10,16.14,161.40,12.13,173.53,"staplers""PO-1002","V99999","P1234",07/01/2011,"Administration","1234-5678-9012",1,1000.00,1000.00,0.00,1000.00,"food day""PO-1003","V82123","P1267",07/01/2011,"Marketing","1234-5660-9012",65,8.00,520.00,17.23,537.23,"glosseys""PO-1004","V82123","P1267",07/01/2011,"Marketing","1234-5660-9087",1,2000.00,2000.00,0.00,2000.00,"booth rent""PO-1005","V10000","P1009",07/01/2011,"Production","1234-5652-9001",129,0.77,99.33,51.23,150.56,"raw materials""PO-1006","V20000","P1129",07/01/2011,"Production","1234-5652-9300",1,600.00,600.00,0.00,600.00,"travel""PO-1007","V50500","P1050",07/01/2011,"Production","1234-5652-9100",1,250.00,250.00,0.00,250.00,"machine rent""PO-1008","V51000","P1050",07/01/2011,"Production","1234-5652-9110",1,789.34,789.34,0.00,789.34,"repairs""PO-1009","V10000","P1009",07/01/2011,"Production","1234-5652-9001",7251,1.02,7396.02,104.77,7500.79,"raw materials""PO-1010","V10001","P1009",07/01/2011,"Production","1234-5652-9010",1,166.43,166.43,12.99,179.42,"shop supplies""PO-1011","V99999","P1234",07/02/2011,"Marketing","1234-5660-9012",1,1000.00,1000.00,0.00,1000.00,"food day""PO-1012","V56750","P1234",07/03/2011,"Production","1234-5652-9101",1,48.43,48.43,0.00,48.43,"fuel""PO-1013","V99999","P1234",07/03/2011,"Production","1234-5652-9012",1,1000.00,1000.00,0.00,1000.00,"food day""PO-1014","V10000","P1009",07/05/2011,"Production","1234-5652-9001",1356,2.77,3756.12,66.94,3823.06,"raw materials""PO-1015","V15000","P5678",07/05/2011,"Administration","1234-5678-9021",10,8.49,84.90,6.30,91.20,"staples""PO-1016","V15000","P5604",07/06/2011,"Administration","1234-5678-9021",10,9.12,91.20,0.00,91.20,"staples""PO-1017","V20000","P1354",07/06/2011,"Marketing","1234-5660-9300",1,3567.89,3567.89,0.00,3567.89,"travel to Elbonia""PO-1018","V99999","P1354",07/06/2011,"Marketing","1234-5660-9999",1,10000.00,10000.00,0.00,10000.00,"influence""PO-1019","V52000","P1100",07/07/2011,"Production","1234-5660-1700",1,100000.00,100000.00,7312.45,107312.45,"new machine""PO-1020","V50001","P1050",07/07/2011,"Production","1234-5660-9200",1,869.45,869.45,0.00,869.45,"gas""PO-1021","V50002","P1050",07/07/2011,"Production","1234-5660-9200",1,2319.67,2319.67,0.00,2319.67,"electricity""PO-1022","V50000","P1050",07/07/2011,"Production","1234-5660-9210",1,4000.00,4000.00,0.00,4000.00,"building rent""PO-1023","V80000","P2001",07/08/2011,"Administration","1234-5678-9500",1,1527.50,1527.50,0.00,1527.50,"insurance""PO-1024","V90000","P2001",07/08/2011,"Administration","1234-5678-9801",1,300.00,300.00,0.00,300.00,"license""PO-1025","V81000","P2001",07/08/2011,"Administration","1234-5678-9865",1,260.00,260.00,19.60,279.60,"copier lease""PO-1026","V15000","P5604",07/11/2011,"Administration","1234-5678-9021",10,9.12,91.20,0.00,91.20,"staples""PO-1027","V15000","P5604",07/11/2011,"Administration","1234-5678-9021",3100,19.99,61969.00,0.00,61969.00,"staplers""PO-1028","V20000","P1354",07/11/2011,"Marketing","1234-5660-9300",1,5367.89,5367.89,0.00,5367.89,"travel""PO-1028","V20000","P1400",07/12/2011,"Marketing","1234-5660-9300",1,1209.83,1209.83,0.00,1209.83,"travel""PO-1029","V10000","P1009",07/13/2011,"Production","1234-5652-9001",4219,2.00,8438.00,411.56,8849.56,"raw materials"
KickbacksA: Trend (horizontal analysis)
Analyze a cost over time or between vendors and look for dramatic increases
May not be appropriate for volatile market sensitive items (gasoline)
Will not detect the scheme if it started before the trend time period
B: Compare to external pricing data (similar to JOIN techniques shown earlier)
Kickbacks – the data"I1001","V15000",01/10/2011,10,10.00,100.00,8.35,108.35"I1002","V99999",01/10/2011,1,50.00,50.00,4.12,54.12"I1003","V82123",01/10/2011,5,20.00,100.00,9.82,109.82"I1001","V15000",01/17/2011,1,10.01,10.01,5.10,15.11"I1002","V99999",01/17/2011,1,50.00,50.00,4.13,54.13"I1003","V82123",01/17/2011,5,20.00,100.00,9.81,109.81"I1001","V15000",01/24/2011,1,10.02,10.02,5.10,15.12"I1002","V99999",01/24/2011,1,50.00,50.00,4.13,54.13"I1003","V82123",01/24/2011,5,20.00,100.00,9.81,109.81"I1001","V15000",01/31/2011,1,10.02,10.02,5.10,15.12"I1002","V99999",01/31/2011,1,50.00,50.00,4.13,54.13"I1003","V82123",01/31/2011,5,20.10,100.50,9.81,110.31"I1001","V15000",02/07/2011,10,10.00,100.00,8.35,108.35"I1002","V99999",02/07/2011,2,60.00,120.00,8.12,128.12"I1003","V82123",02/07/2011,5,20.00,100.00,9.82,109.82"I1001","V15000",02/14/2011,1,10.01,10.01,5.10,15.11"I1002","V99999",02/14/2011,2,60.00,120.00,8.13,128.13"I1003","V82123",02/14/2011,5,20.00,100.00,9.81,109.81"I1001","V15000",02/21/2011,1,10.02,10.02,5.10,15.12"I1002","V99999",02/21/2011,2,60.00,120.00,4.13,128.13"I1003","V82123",02/21/2011,5,20.00,100.00,9.81,109.81"I1001","V15000",02/28/2011,1,10.02,10.02,5.10,15.12"I1002","V99999",02/28/2011,2,60.00,120.00,8.11,128.11"I1003","V82123",02/28/2011,5,20.20,101.00,9.80,110.80
Kickbacks – the dataSix Months (could be more)Product Number, Vendor Number
Unit CostAnalyze individual purchase unit
cost over a series of months, isolate large % change
Analyze monthly average cost
IS Audit Topic – Logical Access
Many frauds have an excessive logical access element
Do you know which are the super (and semi-super) user?
Password expiration dates?Last used dates?
IS Audit Topic – Logical Access (cont)
Active Directory says a lotData can be extracted for free with
W2K8 built-in toolsCreate a CSV ( csvde –f filename)
file load it into your favorite toolSlice n Dice – which user is in
which groups, which groups contains which users
(there are commercial tools)
IS Audit Topic – [AD dates are a hoot]
Dates /time- is stored in number that is 100-nanosecond intervals that have elapsed since 1/1/1601. A nanosecond is 1 billionth of a second, 10 million of these intervals would equal one second
109,197 + 11 = 109,208 days from 1/1/1601 to 1/1/1901http://www.timeanddate.com/date/duration.html
The current Gregorian calendar was adopted in United States where Thursday, September 3, 1752 was the first of 11 days that were skipped.
So-128942788883593750 = Sun Aug 9, 2009 08:08:08UTChttp://www.chrisnowell.com/information_security_tools/
date_converter/Windows_active_directory_date_converter.asp
Allow a day or two – my formula rounds and I don’t know how accuracte these links are
IS Audit Topic – [AD dates are a hoot] (cont)
Three key (but not all) date fields: pwdLastSet, lastLogon, accountExpires
Examples User01, date Password Last Set 128943076749375000
/ 10,000,000 (to get seconds)/ 60 (to get minutes)
/ 60 (to get hours)/24 (to get days)
- 109,208 days (to get to 1/1/1900)- Add result to `19000101` to get the date
AD - memberOf“memberOf” is the fields that contains the groups in
which this user belongsExample =
CN=High,CN=Users,DC=ACLTest,DC=com;CN=Low,CN=Users,DC=ACLTest,DC=com
“;” semicolon separates each groupThe “CN=“ (common name) indicates:
First – Group nameSecond – Container category (Builtin – domain local scope,
Users – domain global scope)
The “DC=“ (domain controller) indicates:First – domain nameSecond – domain type
AD – memberOf (2)Warning -“memberOf” does not display
the complete subsidiary members for nested groups, see part II group analysis
Confusing – lots of similar objectsname – login namedisplayName – spelled out long namedistinguishedName – name w domain
& .com
AD – Users and their Groups Solution Approach
1. Isolate the “user” objectClass2. Create a short view with the 3 names plus
objectClass and memberOf3. Count the number of “;”s in memberOf4. STATISTICS ON COUNT of the “;”s, MAX1 plus
one will be the most groups for any user5. Create, up to, MAX1 conditional computed
fields, cycling through 1 or more for each group a user potentially belongs to, SPLITing on the “;” , the SPLIT again on “CN=“ (as long as memberOf is not blank)
AD – Groups and their Users Solution Approach
1. Create a list of each name where the objectClass is “group”
2. Read that new file one record at a time, using the name field contents to search the larger AD file, but only where the objectClass = “user”
3. Create a separate file for each group name, and extract the group name and the user name fields if the group name is found within a users record (in any group, first, second, third…)
4. Continue looping through the remaining group names
5. Only save the lists that have results (delete empty files)
AD Groups & Users – Key ACL Command & Functions
IMPORT DELIMITED ………………………………..VERIFY ALLSUMMARIZE ON ….. TO …..DEFINE FIELD ….. COMPUTED (conditional) SET FILTER TO …..DEFINE REPORT ….. DEFINE COLUMN ……..OCCURSNOT ISBLANKSTATISTICS ON …… ASSIGN …….. = MAX1DO SCRIPT ….. WHILE ……..SUBSTR(SPLIT(SPLIT( ………….)…….) ……)LOCATE RECORDEXTRACT FIELDS ………. TO ……… IF………..FIND(……,
<groupname>)DELETE ….. IF ….. DELETE FORMAT …… IF…..
Computer Fraud Casebook , The Bytes that Bite 2009 AAF
Joseph T Wells ,Wiley & Sons Inc• www.acfe.com Assn of Certified Fraud Examiners• ACFE 2008 Report to the Nation on Occupational Fraud and Abuse• (1) “Forensic Accounting and Fraud Examination” Kranacher, Riley, Wells, Wiley 2011
• Overwhelmingly, excessive logical access (see earlier slides)– Weak passwords– Functionality expansion over years
• Theft of IT Assets• Use of IT Assets (webhosting)
Something free from a magazine Webkey, or your doctor/hospital
• www.acfe.com Assn of Certified Fraud Examiners• ACFE 2008 Report to the Nation on Occupational Fraud and Abuse• (1) “Forensic Accounting and Fraud Examination” Kranacher, Riley, Wells, Wiley 2011
• USB devices, acts like a peripheral instead of a USB
• Provider WebKeys webkey.com• http://
www.nebraskacert.org/CSF/CSF-LT-Aug2011.pdf Aaron Hiltgen UNO research student
• Also QR’s
RecapSome tests are not complexSome are more complex, usually the
challenging part is multiple file processing
Scripting can ease the time involvedScheduling can make the assessment
continuous/periodic Look at the data in more than one wayExceptions may explain other
exceptionsDon’t quit on imperfect dataWho,What,When,Where, Why (difficult)
References/Resources• www.acfe.com Assn of Certified Fraud Examiners• ACFE 2008 Report to the Nation on Occupational Fraud
and Abuse• (1) “Forensic Accounting and Fraud Examination”
Kranacher, Riley, Wells, Wiley 2011• “Fraud Analysis Techniques Using ACL” Coderre, Wiley
2009• IIA (Deloitte) Fraud Data Analysis Class -
http://www.theiia.org/training/index.cfm?act=seminar.detail&semID=199
• ACL Fraud Data Analysis Class - http://www.acl.com/pdfs/Training_252.pdf
• Cressy, Albrecht, Hollinger & Clark